Segregation of Incompatible Duties

What is segregation of duties?

Segregation of duties (SOD) is a type of control activity and it is a fundamental element of internal controls. The principle of SOD is to share responsibilities in a key process, and no one individual should perform two or more of the following functions:

  • Custody
  • Authorization or approval
  • Recording or reporting

For example, the person who has access to cash should not be the same person who reconciles cash. The person who authorizes a change to the company system should not be the same person who makes the change.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 framework clearly requires organizations to address SOD (it is one of the points of focus under Risk Assessment). The American Institute of Certified Public Accountants (AICPA) recommends that external auditors consider SOD in a financial statement audit because inadequate segregation of duties may increase the fraud risks of misappropriation of assets. The lack of SOD is a common risk in many organizations. Management should address SOD in internal controls because an effective internal control system requires appropriate separation of responsibilities.

There are some misunderstandings about SOD. One is that some people tend to believe the Information Technology (IT) department in an organization is responsible for SOD by setting up proper user roles and user accesses in the organization’s systems. The fact is that the IT department only sets up proper user roles and user accesses after management provides them with the proper SOD mapping. For example, the CFO and/or the Controller determine the accounting personnel’s roles and accesses first, and then the IT department sets up the pre-determined roles and accesses in the accounting system. Another misunderstanding is that some people think that SOD only exists in the organization’s systems. The fact is that SOD also exists in manual processes, so it is important to map SOD conflicts for key financial cycles.

SOD considerations for several key financial cycles:

Cash Receipt: Cash receipt may be the most critical process in the revenue generation cycle. How do you ensure the cash receipt is handled properly? Here are some SOD considerations:

  • The person responsible for the receipt of cash should not be the same person who records the cash transactions in the accounting system.
  • The person responsible for reconciling cash bank accounts should not be the same person who has access to cash (including the receipt of cash and the deposit of cash).
  • The person responsible for making adjustments and issuing credit memos should not be the same person who has access to cash.
  • The person responsible for authorizing adjustments and credit memos should not be the same person who has access to cash.

Procurement: Procurement or Procure-to-Pay is another key financial cycle in most organizations. How do you segregate incompatible duties in the procurement cycle?

  • The person who initiates purchase requisitions should not be the same person who authorizes the purchase requisitions.
  • The person who is involved in the purchasing function should not be the same person who records these purchase transactions.
  • The person who receives the goods, materials or services should not be the same person who is involved in the purchasing function or disbursement process.

Cash Disbursement: Cash disbursement is a critical part of the Procure-to-Pay cycle. How do you ensure there is proper SOD in the disbursement process?

  • The person responsible for maintaining the vendor master file should not be the same person who authorizes changes to the vendor master file.
  • The person responsible for the three-way match should not be the same person who is involved in purchasing, receipt of goods, materials or services, or maintaining the vendor master file.
  • The person responsible for printing checks should not be the same person who records disbursement.
  • The person responsible for signing and approving checks should not be the same person who prints checks.

Fixed Assets: Fixed Assets is always a “big” number on an organization’s balance sheet and it is a critical component in evaluating an organization’s performance. How do you protect your fixed assets?

  • The person responsible for purchasing or disposing of fixed assets should not be the same person who records these transactions in the accounting system.
  • The person who approves any adjustments to fixed assets should not be the same person who has access to fixed assets (including physical count of fixed assets and the access to fixed assets records).
  • The person who counts fixed assets should not be the same person who has access to fixed assets records.

Payroll: Payroll is another key financial cycle in most organizations. How do you ensure there are no ghost employees and payroll is properly reconciled?

  • The person who processes payroll should not be the same person who approves payroll.
  • The person who modifies the employee master file should not be the same person who processes payroll.
  • The person who reconciles payroll should not be the same person who can modify the payroll system.

Of course, there are other financial cycles and some other considerations you need to know in order to properly segregate duties in your organization. To help you better segregate duties, we offer 6 Steps to Segregate Incompatible Duties, which provides an approach to separating incompatible responsibilities.


Emma Zhang is an experienced audit professional, with more than six years of internal audit & Sarbanes-Oxley (SOX) compliance experience focusing on operations, accounting, internal controls and process improvement. Competencies include operational auditing, accounting, management consulting, Sarbanes-Oxley (SOX) compliance, audit planning and risk assessments, operational/financial planning and analysis, and data analysis. Emma is a resourceful, creative thinker and analytical problem solver with demonstrated ability to independently manage tasks from planning through execution in dynamic, fast-paced, and time-sensitive environments. Emma is a CPA with a CFE certificate. Emma is also a Blackline Certified Implementation Professional and helps clients implement the Blackline system.